Age | Commit message | Author | Files | Lines
2020-03-31 | ipsec: fix udp-encap in transport mode | Alexander Chernavin | 2 | -3/+58
    Now UDP encapsulation doesn't work in transport mode with crypto algorithms that have iv_sz=8 like AES GCM or 3DES CBC. That happens because the inserted UDP header overlaps with the old IP header and gets filled before the information from the old IP header can be copied to a new IP header.
    The result is a broken packet:
        00:03:39:620863: esp4-encrypt-tun
          esp: sa-index 3 spi 3464048590 (0xce792fce) seq 31 sa-seq-hi 0 crypto aes-gcm-128 integrity none udp-encap-enabled
        00:03:39:620867: adj-midchain-tx
          ...
        00:03:39:620868: ip4-rewrite
          ...
        00:03:39:620869: GigabitEthernet0/8/0-output
          GigabitEthernet0/8/0
          IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c
          UDP: 10.255.0.10 -> 10.255.0.20
            version 0, header length 0
            tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN
            fragment id 0x0000
          UDP: 128 -> 0
            length 0, checksum 0x0000
        00:03:39:620870: GigabitEthernet0/8/0-tx
          GigabitEthernet0/8/0 tx queue 0
          ...
          IP4: 08:00:27:a9:6b:d6 -> 08:00:27:5a:dd:0c
          UDP: 10.255.0.10 -> 10.255.0.20
            version 0, header length 0
            tos 0x80, ttl 63, length 0, checksum 0x653e (should be 0xffff) dscp CS4 ecn NON_ECN
            fragment id 0x0000
          UDP: 128 -> 0
            length 0, checksum 0x0000
    With this commit, fill UDP header after copying the IP headers in transport mode.
    Type: fix
    Change-Id: Ie9a6e562aa05a8378114329d6a9ff395189fa6a8
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-30 | tcp: reuse session infra for syns and resets | Florin Coras | 6 | -88/+71
    Type: improvement
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: I71df27049ef0193578f0c42f8f8bbd5c54e4d53e
2020-03-30 | session udp: flag for connected udp | Florin Coras | 6 | -7/+50
    Type: improvement
    This can be used as alternative to udpc
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: Ic3f7efe6728b25d4a8a0b61ddb36de66b4672c4f
2020-03-30 | vxlan: leverage vlib_get_buffers in vxlan_encap_inline | Zhiyong Yang | 1 | -12/+14
    vlib_get_buffers can save about 1.2 clocks per packet for vxlan encap graph node on Skylake.
    Type: improvement
    Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
    Change-Id: I9cad3211883de117c1b84324e8dfad38879de2d2
2020-03-30 | vppinfra: add support for avx512 alignment version of load and store | Zhiyong Yang | 1 | -0/+8
    Type: improvement
    Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
    Change-Id: Idfec9cb9370a8cf4966d3fdfa440496f21e17005
2020-03-30 | gso: fix the header parser to read only | Mohsin Kazmi | 3 | -6/+44
    Previously, header parser sets the tcp/udp checksum to 0. It should be read only function for vlib_buffer_t.
    Type: fix
    Change-Id: I9c3398372f22998da3df188f0b7db13748303068
    Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-03-30 | interface: remove mtu clib_warning message from api handler | Paul Vinciguerra | 1 | -1/+0
    Type: fix
    Change-Id: I85000cce698d44a96adcab7ff6aa37e7dcca51f7
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-03-27 | vcl: support for uword segments | Florin Coras | 3 | -12/+12
    Type: improvement
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: Ibfe203fda5a0c88b26eb50bee8a430dd2cfb7dca
2020-03-27 | quic: Check quicly version tag at compile time | MathiasRaoul | 15 | -561/+56
    - updates the quicly version to 0.1.0-vpp
    - adds workaround for quicly_send()/assert_consistency() failure
    Type: feature
    Change-Id: I4c7e0ffc720ad9a685b89046a83646d59febd6cd
    Signed-off-by: MathiasRaoul <mathias.raoul@gmail.com>
    Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
    Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2020-03-27 | vppinfra: add clib_bihash_get_bucket | Damjan Marion | 2 | -20/+13
    Type: improvement
    Change-Id: I073bb7bea2a55eabbb6c253b003966f0a821e4a3
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-03-27 | docs ethernet: add docs for ethernet Section | Paul Vinciguerra | 2 | -0/+21
    Type: docs
    Change-Id: I6ad92b35df3e0fecb1334511625eacf3e3d8925f
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-03-27 | docs: minor typos in configuring/startup.rst | Paul Vinciguerra | 1 | -2/+2
    Change-Id: I8a6596d7cfa84cb2c5ee2d847395e9cea69c5349
    Type: docs
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-03-27 | build tests: fix 'test-wipe-papi' target | Paul Vinciguerra | 1 | -1/+1
    Fix transposed terms.
    Type: fix
    Change-Id: Ibc3f5d5d9dbd81c9edf09ae5024c3ac4b1939d03
    Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-03-27 | acl: API cleanup | Jakub Grajciar | 20 | -1179/+1177
    Use consistent API types.
    Type: fix
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
    Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-27 | docs: document lxd container bootstrap procedure | Dave Barach | 1 | -0/+130
    Type: docs
    Signed-off-by: Dave Barach <dave@barachs.net>
    Change-Id: I9cfa52637e813f2b990688b35634e3af10c58f6a
2020-03-27 | dpdk: enable DPDK iAVF PMD | Chenmin Sun | 3 | -0/+23
    This patch adds support for the DPDK iAVF PMD
    Type: feature
    Signed-off-by: Chenmin Sun <chenmin.sun@intel.com>
    Change-Id: I7bb0f621774e4c55b9b7309462e6591ce1b88fb6
2020-03-26 | acl: revert acl: api cleanup | Ole Trøan | 20 | -1183/+1095
    This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a.
    Reason for revert: Verify failure. Doesn't build.
    Type: fix
    Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee
    Signed-off-by: Ole Troan <ot@cisco.com>
2020-03-26 | acl: API cleanup | Jakub Grajciar | 20 | -1123/+1206
    Use consistent API types.
    Type: fix
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
    Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26 | session: fix coverity warning | Dave Barach | 1 | -1/+1
    Type: fix
    Ticket: VPP-1837
    Signed-off-by: Dave Barach <dave@barachs.net>
    Change-Id: Ib5da600b7a40f775de7dc5b9aaa8d967e49e8632
2020-03-26 | nat: transitory timeout for TCP CLOSED state | Klement Sekera | 9 | -118/+329
    Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857.
    This patch implements this functionality for endpoint-dependent NAT.
    Type: improvement
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-26 | svm: correct format_fifo_segment | Ryujiro Shibuya | 2 | -4/+7
    Type: improvement
    Signed-off-by: Ryujiro Shibuya <ryujiro.shibuya@owmobility.com>
    Change-Id: Ia8aef3695f12e09b087be79ebe40e758fb8105ad
2020-03-26 | build: use gcc-8 as default on ubuntu 18.04 | Damjan Marion | 1 | -0/+6
    Type: improvement
    Change-Id: I34c9e95ad9160436cb62dec7a1a2d0ce94602ab7
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-03-26 | tests: speed up ipsec unit tests execution | Filip Tehlar | 1 | -54/+1
    ... by removing duplicate test cases.
    There is little value in testing ESN flag when no integ algo is used. This patch removes such test cases.
    Type: improvement
    Change-Id: Iae5baa1d39ac32a65d1d28ad57771a87962d8bb3
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-26 | ikev2: fix wrong usage of BN_bn2bin() | Filip Tehlar | 3 | -12/+56
    This patch fixes 2 different crashes:
    1) BN_bn2bin() returns bytes written, not actual key length. Use BN_bn2binpad() instead which adds padding.
    2) Initiator may receive multiple sa-init responses for the same ispi which may result in crash. Remember first response and ignore any subsequent ones.
    Type: fix
    Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-26 | ikev2: dead peer detection | Filip Tehlar | 2 | -4/+95
    Type: feature
    Change-Id: Ibc65d739583dc11735f993f4c7e7ee6d3c8f5b0a
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-25 | ikev2: fix gcm in ike protocol | Filip Tehlar | 1 | -1/+1
    Type: fix
    Change-Id: I746b94f494d059d2db5f47638c9f4e6bc4eb4045
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-25 | session: api to add new transport types | Florin Coras | 21 | -103/+150
    Type: feature
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: If4dee6dba1ea942daa921d566b35cdecdda680ee
2020-03-25 | tcp: avoid updating rcv wnd in resets | Florin Coras | 1 | -3/+1
    Type: improvement
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: I0884bf63db57b4b4dbccf41ab64c030b3fe4dde2
2020-03-25 | sr: Change the CLI keyword from address to prefix. | Tetsuya Murakami | 2 | -3/+3
    Change the CLI keyword from address to prefix in sr localsid command.
    Type: feature
    Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
    Change-Id: Icc3072404a106ab40e829d2d291e5c179a4443a8
    Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
2020-03-25 | ip: Adding IP tables is no MP safe | Neale Ranns | 1 | -2/+0
    Type: fix
    it was marked MP safe in the CLI (which it shouldn't be) but it is not marked MP safe on the API.
    Change-Id: I4bdea498a510a8b406d13d62a899b6d03656f7e8
    Signed-off-by: Neale Ranns <nranns@cisco.com>
2020-03-25 | acl: Add CLI additions | Neale Ranns | 1 | -0/+254
    Type: improvement
    Signed-off-by: Neale Ranns <nranns@cisco.com>
    Change-Id: I172d3d907f324d8cb21e73aa08ef66da029ed365
2020-03-25 | avf: fix rx queue refill on buffer alloc failure | Damjan Marion | 1 | -6/+6
    If buffer alloc fails, it may happen that rx queue will be stuck as old code only refills if at least one packet is received.
    Type: fix
    Change-Id: I388c4f8a9fb2c208bdc222e31b443cbe6b94af82
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-03-25 | nat: fix error counters | Klement Sekera | 4 | -1/+21
    Type: fix
    Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-25 | map: fix hop limit expiration at br | Vladimir Ratnikov | 2 | -2/+29
    Before this patch, packet was dropped in ip4-input, but ip4-map-t node dropped response due to 'security check failed'
    This patch checks if hop_limit==1 and sets error and next frame and sends icmp6 response correctly
    Type: fix
    Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
    Change-Id: I85a6af58205b05754ef8c45a94817bb84f915c85
2020-03-24 | quic: disable vnet_crypto and batching if no crypto engines are loaded | MathiasRaoul | 3 | -11/+33
    Type: fix
    Change-Id: I95d3f8431b468cefc8777526dd3b988a299f0687
    Signed-off-by: MathiasRaoul <mathias.raoul@gmail.com>
2020-03-24 | vcl: fix ldp recv return on error | Florin Coras | 1 | -1/+4
    Type: fix
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: I0875705d3a0c95f2781b0595ef27a30486438aae
2020-03-24 | vcl: fix ldp writev 0 vecs | Florin Coras | 1 | -12/+8
    Type: fix
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: Iec5db8dcf3a019b731e15fd79d0208d6eb10943b
2020-03-24 | map: fix translation of icmp6 error messages | Alexander Chernavin | 2 | -1/+131
    Translation of ICMPv6 error messages to ICMP error messages fails because the sender port is not set that leads to security check failure.
    With this commit, during ICMPv6 error messages translation, get the sender port value from the inner packet.
    Type: fix
    Change-Id: I1ee295a3685fab4837172edfb629a699f49afbee
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-24 | avf: proper promisc handling | Damjan Marion | 2 | -7/+27
    Type: fix
    Change-Id: Id20a0fe77372602fd211156ccee01c18d829d8df
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-03-23 | tcp: add lost and in flight to byte tracker | Florin Coras | 2 | -2/+15
    Type: improvement
    Signed-off-by: Florin Coras <fcoras@cisco.com>
    Change-Id: I3b0041d72d835cbb11e803cc56ac4c68a68238a0
2020-03-23 | ikev2: fix typo in .api description | Vratko Polak | 1 | -2/+1
    Type: style
    Change-Id: Ie81eb7e3d872923daaa8ae8dad060a4da85349c5
    Signed-off-by: Vratko Polak <vrpolak@cisco.com>
2020-03-23 | ipsec: Revert "ipsec: fix chained ESP" | Florin Coras | 3 | -146/+51
    This reverts commit c2c1bfd9b72aec88526c06479b128725eb525866.
    Reason for revert: Seems it's breaking ipsec esp tests
    Type: fix
    Change-Id: Iac590eee23cbf92a10c62dafa789aa9c3b2284dd
    Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-03-23 | docs: add container functional test writeup | Dave Barach | 3 | -1/+512
    Fix global copyright date
    Type: docs
    Signed-off-by: Dave Barach <dave@barachs.net>
    Change-Id: I7f010d63ec010982f2c8c8388f14214fa6ced0a7
2020-03-23 | srv6-mobile: Fix the coverity issues | Tetsuya Murakami | 1 | -33/+39
    Fix for the coverity issues.
    Type: fix
    Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
    Change-Id: I6bf8a874a9a94b9b7d62da047a401eda8a448567
    Signed-off-by: Tetsuya Murakami <tetsuya.mrk@gmail.com>
2020-03-23 | sr: srv6 API cleanup | Jakub Grajciar | 10 | -338/+217
    Use consistent API types.
    Type: fix
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
    Change-Id: I3c348ad2fca8bb3d9a246af7a2aa9dc9c33f57c3
    Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-23 | ipsec: fix chained ESP | Filip Tehlar | 3 | -51/+146
    This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption.
    Type: fix
    Change-Id: I1d4da029b952baa97400adb7173aa63fd97d916b
    Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-23 | ipsec: increment no-tunnel counter in ipsec-tun-input | Alexander Chernavin | 1 | -0/+3
    If "no-tunnel" error arises, you will not see it in the "show errors" output because the packet will be punted. That fact complicates troubleshooting.
    Type: improvement
    Change-Id: Ic08347f81131a4a73a05b66acbfb02797373f5ab
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-23 | virtio: vhost gso checksum error when both indirect and mrg_rxbuf are off | Steven Luong | 1 | -20/+19
    Turn on gso, turn off both indirect and mrg_rxbuf caused traffic received and sent with checksum error.
    The problem is we are not mapping the hdr correctly in the shared memory address.
    Type: fix
    Signed-off-by: Steven Luong <sluong@cisco.com>
    Change-Id: I7ef3bc2755544167b0e624365988111b17399e89
2020-03-23 | tap: fix the numa/queue for buffers | Mohsin Kazmi | 1 | -1/+1
    Type: fix
    Change-Id: Ib320171708bebde6d1dae0b2c665f9bcfc9102db
    Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-03-23 | virtio: improve error handling | Mohsin Kazmi | 1 | -9/+30
    Type: improvement
    Change-Id: I134465760272ceb29f85486cba838d8687696bbf
    Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>